Year: 2010

UPDATE (2/8): Based on some recent questions, additional information has been posted about SHA2 and Windows. Introduction: We’ve recently received a couple of requests from customers around the functionality of SHA-256 when running on Windows XP and 2003. This has become more important recently, as NIST has recommended migrating away from SHA-1 by the end…

If you are unsure about the Microsoft Certificate Server virtualization policy, see the Microsoft Virtual Server support policy knowledge base article at http://support.microsoft.com/kb/897613. It is worth mentioning that a hardware security module (HSM) is always recommended when operating a certification authority on a virtual Windows Server. The rationale behind this recommendation is quite simple:…

[EDIT 2/20/2012] This problem has recently been resolved in a hotfix update: System state backup does not include CA private keys in Windows Server 2008 or in Windows Server 2008 R2 – http://support.microsoft.com/kb/2603469 Backing up a Windows Server 2008 (including 2008 R2) Certification Authority (ADCS) involves a few extra steps compared to earlier…

Below is a list of ports that need to be opened on Active Directory Certificate Services servers to enable HTTP- and DCOM-based enrollment. The information was developed by Microsoft Consultant Services during one of our customer engagements. Protocol Port From To Action Comments Kerberos 464 Certificate Enrollment Web Services Domain Controllers…

Environmental Dependencies:
1- Determine if the Active Directory Forest has Windows 2000 Domain Controllers. This is important because of modifications to the CertPublishers group scope, and permissions related to the AdminSDHolder role. These permissions can be added by using the Dsacls command.
2- Determine if the Active Directory Schema was upgraded to at least Windows…

Recently, we’ve had a deluge of questions regarding chain building and selection, especially in the presence of cross-certified certificates. Hopefully, this post will make Crypto API 2 (CAPI2) chaining logic clearer and help enterprise admins design and troubleshoot their public key infrastructure. While trying to validate an end entity, CAPI2 tries to select the best quality…

This script writes a Certification Authority’s Certificate Revocation List to HTTP-based CRL Distribution Points via a UNC path. It checks that the copy was successful and that the CDPs have not expired and are not about to expire. Alerts/status messages are sent via SMTP and event log entries. It performs the following steps: Determines…

Today, many servers require some sort of SSL certificate to be deployed, and in many cases custom names are involved. My colleague just published a document, How to Request a Certificate With a Custom Subject Alternative Name, that I strongly recommend reading.

Introduction: When designing a public key infrastructure (PKI) for your organization, you must develop an effective disaster recovery plan to ensure that, in the event of failure of the computer hosting Certificate Services, you can recover in a timely manner with little effect on your organization. Common Reasons that Make a Disaster Recovery Plan…